Model Data Sharing Agreement Information and Privacy Commissioner of
Transcription
Model Data Sharing Agreement Information and Privacy Commissioner of
Information and Privacy Commissioner of Ontario Model Data Sharing Agreement Tom Wright Commissioner December 1995 Information and Privacy Commissioner of Ontario 2 Bloor Street East Suite 1400 Toronto, Ontario CANADA M4W 1A8 416-326-3333 1-800-387-0073 Fax: 416-325-9195 TTY (Teletypewriter): 416-325-7539 Website: www.ipc.on.ca Table of Contents Introduction...................................................................................................... 1 Model Agreement.............................................................................................. 2 Definitions......................................................................................................... 2 Model Data Sharing Agreement........................................................................ 3 Introduction Government organizations which are subject to the Freedom of Information and Protection of Privacy Act (the provincial Act) and the Municipal Freedom of Information and Protection of Privacy Act (the municipal Act) sometimes share personal information. The Information and Privacy Commissioner/Ontario (IPC) has drafted a model agreement to assist these organizations in complying with the privacy provisions of the Acts when sharing data containing personal information. The Acts provide individuals with two legal rights: • The right of access to government information, including personal information about themselves. • The right to privacy with respect to the protection of their personal information contained in government records. However, the right to privacy is not absolute. In certain circumstances, the right to privacy must be weighed against various public interests. While the IPC recognizes this, a few words about the privacy-invasive nature of data sharing are considered to be warranted. Sharing personal information between two organizations runs counter to two of the most fundamental principles of data protection — that personal information should be collected directly from the individual to whom it pertains, and should only be used for the purpose for which it was collected [with limited exceptions]. Data sharing respects neither of these principles. Data sharing involves information that has been collected indirectly, and used for a purpose which may not have been intended at the time of the original collection. Government organizations may want to share data for the purpose of comparing or matching two data bases. For example, they may try to identify individuals who should not be receiving services from more than one organization. This data matching is sometimes referred to as a "fishing expedition" which compromises the privacy of the majority in an attempt to capture the suspect few. Data sharing between organizations may lead to individuals' loss of control over their personal information. Therefore, where possible, sharing should not occur without exploring less privacyintrusive means of meeting a specific objective. Before making a decision to share personal data, organizations should consider all practical alternatives which are more privacy protective, and all relevant information. They should also consider the merits of any contemplated data sharing and whether sharing is appropriate. The IPC believes that any sharing of personal information should be supported by a written "Data Sharing Agreement." Such an agreement will clarify the rights and obligations of all parties in a data sharing activity and thereby ensure compliance with the Acts. 1 Although government organizations may be subject to other legislation, regulation or business practice, this model agreement only addresses privacy issues related to the Acts. Model Agreement The attached model agreement contains the minimum issues that should be considered when an organization first contemplates conducting a data sharing activity. The model includes suggested wording. Text within the square brackets [ ] will vary. The "Notes" and "Guidelines" sections review each issue in detail to help organizations understand the specific types of information to examine. The "Notes" apply to the issues which must be addressed and "Guidelines" apply to issues which should be considered. Where sections of the Acts are cited, the sections of the provincial Act appear first, followed by a slash (/) and the corresponding sections of the municipal Act, e.g., 38(2)/28(2). Definitions For the purposes of this model Data Sharing Agreement, the IPC defines "data sharing" as: The exchanging, collecting or disclosing of "personal information" by an organization with other organizations such as any federal or provincial government ministry, agency, board, or commission, any municipality or local government agency, city, town, village, police service, any private company, or any foreign government. This includes sharing for purposes of "computer matching" as defined in the Ontario Government's Management Board of Cabinet's Directive 8-2. The data sharing activity may be carried out by using any transmission method (paper/electronic), and may take place over any time period (daily/monthly/etc.). "Personal information" is defined in section 2(1) of both Acts. Management Board of Cabinet's Directive 8-2, defines "computer matching" as: A computerized comparison of two or more databases of personal information that were originally collected for different purposes. The computer matching program creates or merges files on identifiable individuals to identify matters of interest. It should be noted that Directive 8-2 applies only to organizations that are subject to the provincial Act. 2 Model Data Sharing Agreement AGREEMENT [Indicate the title of the agreement concerning the sharing of personal information.] BETWEEN [Organization A], (hereinafter referred to as "the disclosing party") OF THE FIRST PART AND [Organization B], (hereinafter referred to as "the collecting party") OF THE SECOND PART WHEREAS … Notes: • Identify all the parties to the Agreement. • Outline the reasons for the Data Sharing Agreement and indicate any legislative authority for the disclosure and the collection of the personal information. (For instance, the legislation that governs the program activity.) THE PARTIES AGREE AS FOLLOWS: 1. DEFINITIONS Notes: • Include definitions of any terms which may be unique to the subject matter of the Agreement, or which may not be common knowledge, e.g., program terms, acronyms, etc. 2. PURPOSE OF THE DATA SHARING The purpose of this data sharing activity is [state the specific purpose for both the collection and disclosure of the personal information]. Guidelines: • If personal information is shared for research purposes, the organization should consider the terms and conditions relating to security and confidentiality, as outlined in section 10 of Regulation 460/section 10 of Regulation 823 under the Act. If so, identify whether the personal information will be used for research or administrative purposes. 3 • Identify whether the personal information will be linked or matched with other data banks in order to achieve the purpose of the data sharing activity. • If personal information is shared to facilitate a computer match, and a provincial organization is involved, state the purpose of the match and whether a Computer Matching Assessment has been sent to the IPC for comment as required by Management Board Directive 8-2. • Organizations should prepare a detailed business case outlining why there is a need for data sharing. The business case should: - Identify the goals or objectives of the data sharing activity and the anticipated benefits. • Identify the potential risks or consequences of not conducting the data sharing activity. • Clarify why personal information must be shared at this time. • Clarify why the personal information needs to include personal identifiers. • State the purpose(s) for which the personal information was originally collected. • Identify why the personal information must be collected indirectly and the advantages of sharing the data against alternative methods of achieving the same objectives. 3. AUTHORITY TO SHARE DATA Section [specify the section of the Act which provides the authority to share data] authorized the collection and/or disclosure of this personal information. Guidelines: • Organizations must comply with sections 38(2)/28(2) of the Act with respect to the authority to collect the personal information being shared, and with section 42/32 of the Act with respect to the disclosure of that personal information. 4. PERSONAL INFORMATION TO BE SHARED The disclosing party will provide to the collecting party: (a) [List all elements of personal information that will be disclosed and collected for each purpose that has been identified above.] (b) (c) 4 The disclosing party will provide to the collecting party, a computer disk of the personal information that is identified in clause [specify clause in Agreement], on [specify frequency]. Guidelines: • Identify whether personal information is about one individual or a group of individuals. • Estimate the number of records to be shared and the current storage format or medium, for example; computer tape, computer disk, paper, etc. • Identify how the personal information will be disclosed and the frequency of data sharing. • The exact nature of the personal information to be shared must be identified in detail. The parties should use the definition of personal information in section 2(1) of the Act as the basis for its description. Only those components of personal information that are absolutely necessary to achieve the purpose of the data sharing activity should be shared. 5. USE OF PERSONAL INFORMATION The information provided by the disclosing party to the collecting party shall only be used in compliance with section(s) [state the sections] of the Freedom of Information and Protection of Privacy Act or Municipal Freedom of Information and Protection of Privacy Act to: (a) [list specific use of personal information] (b) [list other uses of personal information (if applicable)] Neither party shall use the personal information provided under this Agreement for any purpose other than that set out in the Agreement and which is specifically authorized by the Act. Guidelines: • In addition, the Agreement should include confidentiality provisions to ensure that any personal information obtained/disclosed in connection with the Agreement, is not subsequently disclosed unless the disclosure is in compliance with section 42/32 of the Act. • Describe in detail the use(s) of the personal information and how this use complies with the Act, and that the personal information will not be used for purposes other than those set out in the Data Sharing Agreement. 5 6. MANNER OF COLLECTION [State which section(s) of the Act permits the collection of personal information indirectly. If no section applies, the collecting party (if subject to the Act) must apply to the IPC for an indirect collection authorization.] Guidelines: • Section 39(1)/29(1) of the Act requires organizations to collect personal information directly from the individual to whom it relates unless certain conditions apply. The organization should specify which of the conditions in section 39(1)/29(1) of the Act applies to the collection of the personal information. 7. NOTICE REQUIREMENT Notice to individuals to whom the personal information relates shall be provided by the collecting party in accordance with section 39(2) and (3)/29(2) and (3) of the Act. OR The collecting party must apply to the responsible minister for a waiver of notice in accordance with section 39(2)/29(3) of the Act. Guidelines: • Describe how, and at what stage of the data sharing activity, the notice provisions will be complied with. 8. METHOD OF SHARING DATA Personal information described in clause 4 above, shall [describe the procedures or methods that will be used to share the personal information (e.g., photocopies of hard copy records, copying of computer tapes or disks, electronic data interchange, direct electronic linkage, etc.)]. Notes: • The organization(s) should also: - Identify what (if any) personal information will be linked or matched with other information in order to achieve the purpose of the data sharing activity. - Identify the sampling techniques to be used, if only a sample of records is needed. - Identify any technical problems involved with the data sharing and the strategy which has been developed to minimize these problems. (e.g., physical loss of data during transfer.) 6 9. ACCURACY AND SECURITY OF THE PERSONAL INFORMATION To ensure compliance with section 40(2)/30(2) of the Act, the parties shall . . . Notes: • Describe what steps will be taken to verify the accuracy and completeness of the personal information before it is used. • Identify the steps that will be taken to ensure that the personal information is up-todate. • Describe the measures that will be taken to ensure that the personal information will be protected against unauthorized access and that only authorized persons will have access to it. • The organization should identify the measures that will be used to ensure that personal information shared through this Data Sharing Agreement is protected against loss and unauthorized access during transfer, as well as unauthorized access, use and disclosure after transfer. • For any personal information stored on a computer: - identify the method of transfer; • identify the controls in place to ensure the security and completeness of transmission (encryption); • identify the controls in place to ensure that only the required personal information will be transferred; and • describe the types of audit trails and/or management reports produced to ensure that personal information will be processed in a complete and accurate manner. Guidelines: Describe the steps that will be taken to ensure compliance with the requirement under the Act to attach a statement of disagreement to an individual's personal information, reflecting any correction that was requested by that individual but was not made by the organization. 10. DURATION OF DATA SHARING AND RETENTION OF PERSONAL INFORMATION This Agreement shall commence on, and take affect from [start date] and will terminate on [termination date]. 7 To ensure compliance with section 40(1)/30(1) of the Act, the information collected for the purposes of this Agreement shall be retained for a period of [indicate the length of time the personal information will be retained]. Notes: • State whether the proposed data sharing will be a one-time occurrence, time-limited, or ongoing. Guidelines: • Describe in detail what will happen to any personal information upon completion of the Agreement. It is preferable that there is a clause committing each party to either return or destroy the collected personal information in compliance with the Act. This final activity should be confirmed in writing. 11. TERMINATION OF THE DATA SHARING ACTIVITY In the event of the termination of this Agreement, the personal information shared under this Agreement shall be returned to the disclosing party, or disposed of by [supply details of the disposal]. Each party shall send a letter to the other confirming that the disposal has been done in the agreed manner. Notes: • Describe in detail what will happen to any personal information upon termination of the Agreement. Upon termination of the Agreement, it is preferable that there is a clause committing each party to either return or destroy the collected personal information in compliance with the Act. This final activity must be confirmed in writing. Guidelines: The organization should ensure that the Data Sharing Agreement addresses the disposition of the personal information upon termination of the Agreement. Ideally, the disclosing party should regain custody of the personal information disclosed to the collecting party, especially if the collecting party is not subject to the Act. 12. PERSONAL INFORMATION BANKS The disclosing party shall attach or link to the personal information bank this new use of personal information in accordance with section 46/35 of the Act. The collecting party shall create a personal information bank in its directory of records in accordance with section 45/34 of the Act. 8 Notes: State whether the index of Personal Information Banks will be amended to reflect any new uses/ disclosures as a result of the data sharing. 13. AMENDING PROCEDURES This Agreement may be amended by the written agreement of the parties herein. Notes: • Any amendments must comply with the requirements of the Act. 14. CHANGES THAT AFFECT THE AGREEMENT The parties undertake to give one another written notice of any changes in legislation, regulations or policies respecting those parties and programs that are likely to affect this Agreement. 15. OTHER CLAUSES The parties agree that any policies or procedures dealing with the security, access, retention and disposal of the shared personal information, are in accordance with the Act. Notes: • Include any clauses such as financial arrangements that do not fall under any of the foregoing headings. IN WITNESS WHERE OF this Agreement has been signed on behalf of the disclosing party by [Head of Organization A] [Date] [Witness] IN WITNESS WHERE OF this Agreement has been signed on behalf of the collecting party by [Head of Organization B] [Date] [Witness] Please include all appropriate Appendices. 9 Information and Privacy Commissioner of Ontario 2 Bloor Street East Suite 1400 Toronto, Ontario CANADA M4W 1A8 416-326-3333 1-800-387-0073 Fax: 416-325-9195 TTY (Teletypewriter): 416-325-7539 Website: www.ipc.on.ca